The top 10 windows logs event id's used v1.0

1.
The Top 10 Windows Event ID's Used To Catch Hackers In The Act
Michael Gough
Lead Incident Response

2.
What will be covered during this talk
• Windows logs are solid gold if you know what to Enable, Configure, Gather and Harvest. When hacked, they can tell you what you need to know to find and harvest the malware and what occurred. This talk walks through simple commodity malware seen in SPAM and drive-bys to a Chinese advanced attack, and what top Windows Event Codes and information in the logs allowed us to harvest their malware and understand what, where and when they were doing it.
• Details of the attack from the logs and the queries used will be covered and shared to allow you to catch a similar type of attack. This talk will show an advanced attack at its finest, but is designed to be Blue Team Defense in nature so you can learn from those that deal with malware and advanced attacks almost daily.
• What works and why will also be discussed

3.
Disclaimer
The information in this presentation and opinions are mine alone and do not reflect those of my current or past employers.
MalwareArchaeology.com

6.
Hackers, Malware and Logs
• I am a Logoholic
• I love malware, malware discovery and malware management
• But once I find an infected system, what happened before I found it?
• Was there more than one system involved?
• Did the Malwarian do more?
• What behavior did the system or systems have after the initial infection?
• Who was Patient 0?
• Logs are the perfect partner to malware!

7.
So why listen to me?
• I have been there
• In the worst way
• Found malware quickly
• Discovered 10 months before the Kaspersky report – June 2012
• We needed more… Who, What, Where, When and How
• We found the logs were not fully enabled or configured and couldn’t get the data we needed
• Once the logs from endpoints were enabled and configured, we saw all kinds of cool stuff; it showed the How that we ALL NEED

8.
So what is the problem we are trying to solve?

10.
What is Coming
• Statistics showing prevalence of weaponized document attacks as the top threat in the 4th quarter of 2015.

11.
Why we should care
Mandiant M-Trends 2016 Report
• Numbers always tell a story, but it’s the interpretation of those numbers that holds the real value. The median number of days an organization was compromised in 2015 before the organization discovered the breach (or was notified about the breach) was 146. This continues a positive improvement since we first measured 416 days in 2012. Additionally, the median number was 205 days in 2014, which means we witnessed a drop of more than 50 days in 2015! Obviously, as an industry, we are getting better at detecting breaches. On a positive note, companies that detected the breach on their own had a median number of 56 days compromised. The takeaway is that we are getting better as an industry, but there is still work left to do!
• 2012 – 416 days MTTD
• 2014 – 205 days MTTD
• 2015 – 146 days MTTD
• 2015 – 56 days MTTD for companies that detected it themselves

20.
Winnti – A campaign against the Gaming industry
• Kaspersky was the first to report on Winnti
• Then came the publicly released report in 2013
• Followed up in 2014 with another wave of attacks
• Now the group is expanding
• Kaspersky Report
– http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf
• Novetta did a Winnti Analysis
– https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

21.
Like all malware... it and they evolve
• First gaming
• Then Telecoms and BIG Pharma
• Now So. Korea, UK & Russia businesses
• We must learn and evolve with them

26.
You can even capture their Credentials
Caught THEIR Credentials!

27.
With what we have just seen, what can we do with logs?

28.
More than you would have ever guessed!
• Not only detect retail PoS malware (BackOff) that hit Target, Neiman Marcus and Michael’s
• Government sponsored malware like Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.
• Yes, even the really bad stuff like Winnti, well, good stuff to me ;-)
• You can lower your MTTD to days if not hours
• IF... you know what to look for

30.
Improve Security with Endpoint Data
• Great coverage with 10 events per system, not 60,000 alerts like we heard the retailers had
• If you get 10, then 20, then 30 alerts… you should be kicking into Incident Response mode
• Of course there are more, but this is where to start

42.
Some tips to save on data that you collect with your Log Management solution

43.
Do’s and Don’ts
Reducing or excluding events (save on license)
• Event ID’s 4688 & 4689 (New Process Start/Stop) and 5156 & 5158 (Windows Firewall) will be the Top 4 Events in quantity!
• Storage and license are required to gather all these events
• 4689 and 5158 CAN be excluded as the least valuable; that is a 50% savings
• Do NOT exclude by EventID’s that you want; exclude them by the Message within the EventID
• I want 4688, but not splunk*.exe or googleupdate.exe, so exclude by New_Process_Name to reduce normal noise
• I want 5156, but not things that are normal to execute, so exclude by Application_Name

44.
A sample query using Splunk for the #1 alert that ALL Log Management solutions should... MUST have

45.
4688 (New Process Started)
You can add any or all Windows Admin Utilities in System32 or SysWOW64
• index=windows source="WinEventLog:Security" (EventCode=4688) NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
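The same two ideas from slides 43 and 45 (exclude noise by New_Process_Name rather than by a wanted EventID, then alert on admin utilities run by non-machine accounts) expressed as plain Python over constructed sample events. This is an added example, not code from the talk or from LOG-MD; the field names follow the Splunk query above, the sample events and the shortened tool list are assumptions.

```python
import os

# Admin utilities from the slide's 4688 query (a subset of its full list).
WATCHED_TOOLS = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "psexec.exe",
                 "wmic.exe", "reg.exe", "schtasks.exe", "mimikatz.exe", "vssadmin.exe"}
# Normal noise the slide excludes by New_Process_Name (splunk*.exe, googleupdate.exe).
NOISE_PREFIXES, NOISE_NAMES = ("splunk",), {"googleupdate.exe"}
# Event IDs the slide says may be dropped entirely (least value, about 50% of volume).
DROPPABLE_EVENT_CODES = {4689, 5158}

def basename(path):
    """Lower-cased file name of a Windows path such as C:\\Windows\\System32\\cmd.exe."""
    return os.path.basename(path.replace("\\", "/")).lower()

def keep_for_collection(ev):
    """Collection-side filter: drop by New_Process_Name value, never by a wanted EventID."""
    if ev["EventCode"] in DROPPABLE_EVENT_CODES:
        return False
    name = basename(ev.get("New_Process_Name", ""))
    return not (name.startswith(NOISE_PREFIXES) or name in NOISE_NAMES)

def admin_tool_alerts(events):
    """Search-side logic of the slide's query: 4688, no computer accounts, watched tools only."""
    alerts = []
    for ev in events:
        if ev["EventCode"] != 4688 or ev["Account_Name"].endswith("$"):
            continue  # NOT (Account_Name=*$) skips machine accounts such as WS02$
        if basename(ev["New_Process_Name"]) not in WATCHED_TOOLS:
            continue
        alerts.append({"host": ev["host"], "Account_Name": ev["Account_Name"],
                       "New_Process_Name": ev["New_Process_Name"],
                       "Creator_Process_ID": ev["Creator_Process_ID"],
                       # eval Message=split(Message,".") | mvindex(Message,0)
                       "Short_Message": ev["Message"].split(".")[0]})
    return alerts

# Constructed sample events (not real log data), using the Splunk field names from the slide.
def _ev(code, host, account, proc, creator, msg="A new process has been created. Details follow"):
    return {"EventCode": code, "host": host, "Account_Name": account,
            "New_Process_Name": proc, "Creator_Process_ID": creator, "Message": msg}
SAMPLE_EVENTS = [
    _ev(4688, "WS01", "jdoe", r"C:\Windows\System32\whoami.exe", "0x1a4"),
    _ev(4688, "WS01", "jdoe", r"C:\Program Files\Splunk\bin\splunkd.exe", "0x4"),
    _ev(4689, "WS01", "jdoe", r"C:\Windows\System32\cmd.exe", "0x1a4", "A process has exited. Details follow"),
    _ev(4688, "WS02", "WS02$", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "0x3c8"),
    _ev(4688, "WS02", "alice", r"C:\Temp\mimikatz.exe", "0x1f0"),
    _ev(5158, "WS02", "alice", "", "0x0", "The Windows Filtering Platform has permitted a bind. Details follow"),
]
```

Run the collection filter first and the alert logic on what survives; the splunkd.exe start and the machine-account PowerShell start are both kept out of the alert list for different reasons.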

51.
Windows Firewall Logging
• Set to ANY/ANY mode if Windows Firewall is not used. Filter out 5158 events as these are not needed
• Do NOT disable in the Root OU; put it lower so you can add and remove systems to the OU to apply this rule
• Of course, enable the Win F/W everywhere and collect locally; there is no good reason not to
• Export to CSV for manual processing (or use LOG-MD)
• Do a WhoIs lookup to resolve the Company, Country, etc.
• Create a large Whitelist of good IP’s (lookup list)
• Exclude Browsers from one search. The list of IP’s will be much smaller for non-browser executables talking to external IP’s

55.
4663 (File/Reg Auditing) – In Splunk
Using LOG-MD we were able to enable and expand File and Registry auditing and use the results to tweak the audit locations to reduce noise or events that are not needed, saving on license and storage.
If it were not for LOG-MD testing, we would have never caught Dridex creating a key on shutdown and deleting that key on startup for persistence!
File and Registry auditing for shutdown and startup is VERY powerful

56.
File and Registry Auditing tips
Add this slowly and keep it simple or you will create a lot of noise
• Set via the GUI (Booo)
• Or use a PowerShell script, GPO, etc.
• Or by Security Policy file
  – Make one for each File and Registry, apply via GPO or locally with “secedit”
• Audit only for:
  – Files – WriteData (or AddFile), Create folders / append data, Change permissions, Take ownership
  – Registry – Set Value, Delete, Write DAC, Write Owner are optional
• NEW is what we want... Malware needs to be added
• Start with simple items like Run Keys, Firewall policy, keys that are HIGH value
• Remember there are 2 Cheat Sheets to help you with this
  – “Windows File Auditing Cheat Sheet”
  – “Windows Registry Auditing Cheat Sheet”